Upgrading a TDE system
These options to pg_upgrade help with upgrading encrypted clusters.
--copy-by-block
Copy files to the new cluster block by block instead of the default, which is to copy the whole file at once. This option is the same as the default mode but somewhat slower. It does, however, support upgrades between clusters with different encryption settings.
You must use this option when upgrading between clusters with different encryption settings, that is, unencrypted to encrypted, encrypted to unencrypted, or both encrypted with different keys. While copying files to the new cluster, it decrypts them and reencrypts them with the keys and settings of the new cluster.
For added certainty, if the old cluster is encrypted and the new cluster was initialized as unencrypted, this option decrypts the data from the old cluster and copies it to the new cluster unencrypted. If the old cluster is unencrypted and the new cluster was initialized as encrypted, this option encrypts the data from the old cluster and places it into the new cluster encrypted.
See the description of the initdb --copy-key-from=<file> option for information on copying a key from an existing cluster when preparing a new cluster as a target for pg_upgrade
.
--key-unwrap-command=<command>
Specifies a command to unwrap (decrypt) the data encryption key. The command must include a placeholder %p
that specifies the file to read the wrapped key from. The command needs to write the unwrapped key to its standard output. If you don't specify this option, the environment variable PGDATAKEYUNWRAPCMD
is used.
Use an empty string if you don't want to apply any key unwrapping command.
You must specify this option or the environment variable fallback if you're using data encryption. See Securing the data encryption key for more information.